SourceCodester Sales and Inventory System SQL Injection Vulnerability in View Supplier Component

Vulnerability

A SQL injection vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The issue resides in the view_supplier.php file, specifically within the POST parameter handler. The vulnerability arises because the searchtxt parameter is not properly sanitized before it reaches the database query, allowing authenticated attackers to inject arbitrary SQL commands. Successful exploitation can lead to unauthorized data access and manipulation.

Impact

Exploitation of this vulnerability allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, data exfiltration, and manipulation of database contents. The vulnerability has been confirmed to allow UNION-based, Boolean-based, and Time-based SQL injection attacks.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the supplier list page. Use the search bar to submit a SQL injection payload through the searchtxt parameter. Alternatively, capture the request with a tool like Burp Suite and inject the payload manually. The vulnerability can also be exploited using SQLMap by targeting the view_supplier.php file with a crafted POST request that includes the malicious SQL payload in the searchtxt parameter.
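The bug class described above, shown beside its fix, as an added example that is not the project's code (the page does not reproduce view_supplier.php). It assumes a hypothetical suppliers table with name and contact columns, uses in-memory SQLite in place of the application's database, and constructs its own sample rows; the fix is the same in PHP with mysqli or PDO prepared statements.

```python
import sqlite3

# Constructed sample data standing in for the application's supplier table
# (hypothetical schema; the advisory does not show the real one).
SUPPLIERS = [
    ("Acme Parts", "acme@example.com"),
    ("Globex Supply", "sales@globex.example"),
    ("Initech Goods", "orders@initech.example"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE suppliers (id INTEGER PRIMARY KEY, name TEXT, contact TEXT)"
    )
    conn.executemany("INSERT INTO suppliers (name, contact) VALUES (?, ?)", SUPPLIERS)
    conn.commit()
    return conn


def search_suppliers_unsafe(conn: sqlite3.Connection, searchtxt: str) -> list:
    """The pattern the advisory describes: the POST value is spliced into the
    query text, so a quote inside it changes the structure of the statement."""
    sql = "SELECT name, contact FROM suppliers WHERE name LIKE '%" + searchtxt + "%'"
    return conn.execute(sql).fetchall()


def search_suppliers_safe(conn: sqlite3.Connection, searchtxt: str) -> list:
    """Fix: bind the value as a query parameter. The database receives it as
    data only, so quotes and comment markers inside it are just characters to
    match. (Binding does not neutralise LIKE wildcards such as % and _; escape
    those separately if a literal match is required.)"""
    sql = "SELECT name, contact FROM suppliers WHERE name LIKE ?"
    return conn.execute(sql, ("%" + searchtxt + "%",)).fetchall()


def compare(searchtxt: str) -> tuple:
    """Return (rows from the unsafe handler, rows from the safe handler)
    for the same search text, so the two behaviours can be compared directly."""
    conn = make_db()
    return search_suppliers_unsafe(conn, searchtxt), search_suppliers_safe(conn, searchtxt)
```

A tautology probe such as `x' OR 1=1 --` makes the unsafe handler return every supplier, while the parameterised handler treats the same text as an ordinary search string and returns nothing.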

Added: Mar 24, 2026, 10:20 PM
Updated: Mar 24, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm scores (0.0 to 10.0 per category):

spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.